Abstract
Vulnerability assessment and security configuration activities rely heavily on expert knowledge. This requirement often results in many systems being left insecure for lack of analysis expertise and access to specialist resources. It has long been known that a system's event logs provide historical information depicting potential security breaches, as well as recording configuration activities. However, identifying and utilising the knowledge within event logs is challenging for the non-expert. In this paper, a novel technique is developed to process the security event logs of a computer that has been assessed and configured by a security professional, extract key domain knowledge indicative of that expert's decision making, and automatically apply the learnt knowledge, on behalf of non-experts, to previously unseen systems. The technique converts event log entries into an object-based model and dynamically extracts association rules. The quality of the rules is then improved using a temporal metric, which autonomously establishes temporal-association rules and yields a domain model of expert configuration tasks. The acquired domain model, together with a problem instance generated from a previously unseen system, can then be used to produce a plan of action that non-professionals can follow to improve their system's security. Empirical analysis is subsequently performed on 20 event logs, and the identified plan traces are discussed in terms of accuracy and performance.
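The pipeline the abstract describes, as an added illustration that is not the paper's own code: raw log lines are converted into an object-based model, pairwise association rules between expert configuration actions are mined with support and confidence thresholds, a temporal metric (how often the antecedent is first seen before the consequent in the same session) prunes them to temporal-association rules, and the resulting domain model of tasks and preconditions is used to plan the actions an unseen host still lacks. The three-field log format, the per-host notion of a session, the action names and the thresholds are all assumptions made for this example; the log lines are constructed.

```python
"""Illustrative log -> association rules -> temporal rules -> plan pipeline.
Not the paper's implementation; format, actions and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from itertools import permutations


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    action: str  # configuration task the log entry evidences


# Constructed sample log, "<ISO timestamp> <host> <action>" (assumed format).
# Each host is treated as one expert configuration session.
EXPERT_LOG = """\
2018-06-01T09:00:00 hostA AuditPolicyEnabled
2018-06-01T09:05:00 hostA PasswordPolicySet
2018-06-01T09:10:00 hostA GuestAccountDisabled
2018-06-01T09:15:00 hostA FirewallEnabled
2018-06-02T10:00:00 hostB AuditPolicyEnabled
2018-06-02T10:02:00 hostB PasswordPolicySet
2018-06-02T10:04:00 hostB GuestAccountDisabled
2018-06-03T11:00:00 hostC AuditPolicyEnabled
2018-06-03T11:30:00 hostC GuestAccountDisabled
2018-06-03T11:45:00 hostC PasswordPolicySet
2018-06-04T12:00:00 hostD FirewallEnabled
2018-06-04T12:10:00 hostD AuditPolicyEnabled
"""


def parse_log(text):
    """Convert raw lines into Event objects (the object-based model)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, action = line.split()
            events.append(Event(datetime.fromisoformat(ts), host, action))
    return events


def sessions_by_host(events):
    """Group events per host, ordered by time."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    return {h: sorted(evs, key=lambda e: e.ts) for h, evs in by_host.items()}


def mine_rules(sessions, min_support=0.5, min_confidence=0.7):
    """Pairwise association rules a -> b over per-session action sets.
    Returns {(a, b): (support, confidence)} for rules above both thresholds."""
    baskets = [{e.action for e in evs} for evs in sessions.values()]
    actions = sorted(set().union(*baskets))

    def count(*acts):  # sessions containing every action in acts
        return sum(all(x in bk for x in acts) for bk in baskets)

    rules = {}
    for a, b in permutations(actions, 2):
        both = count(a, b)
        if both:
            support, confidence = both / len(baskets), both / count(a)
            if support >= min_support and confidence >= min_confidence:
                rules[(a, b)] = (support, confidence)
    return rules


def temporal_rules(sessions, rules, min_precedence=0.6):
    """Temporal metric: keep a -> b only if a is first seen before b in at
    least min_precedence of the sessions containing both."""
    first_seen = []
    for evs in sessions.values():
        fs = {}
        for e in evs:
            fs.setdefault(e.action, e.ts)
        first_seen.append(fs)
    kept = {}
    for a, b in rules:
        with_both = [fs for fs in first_seen if a in fs and b in fs]
        score = sum(fs[a] < fs[b] for fs in with_both) / len(with_both)
        if score >= min_precedence:
            kept[(a, b)] = score
    return kept


def build_domain(sessions, t_rules, min_support=0.5):
    """Domain model: frequent expert tasks plus precedence preconditions."""
    baskets = [{e.action for e in evs} for evs in sessions.values()]
    support = {a: sum(a in bk for bk in baskets) / len(baskets)
               for a in set().union(*baskets)}
    tasks = {a: s for a, s in support.items() if s >= min_support}
    pre = {a: set() for a in tasks}
    for a, b in t_rules:
        if a in tasks and b in tasks:
            pre[b].add(a)  # b requires a to have happened first
    return tasks, pre


def plan(domain, observed):
    """Order the tasks the unseen host lacks so every precondition is met;
    observed tasks count as done. Most frequent executable task goes first."""
    tasks, pre = domain
    done, todo, steps = set(observed), set(tasks) - set(observed), []
    while todo:
        ready = [a for a in todo if pre[a] <= done]
        if not ready:
            raise ValueError(f"circular precedence among {sorted(todo)}")
        nxt = min(ready, key=lambda a: (-tasks[a], a))
        steps.append(nxt)
        done.add(nxt)
        todo.remove(nxt)
    return steps


def demo(unseen_log):
    """Learn from EXPERT_LOG, then plan for the host in unseen_log."""
    sessions = sessions_by_host(parse_log(EXPERT_LOG))
    t_rules = temporal_rules(sessions, mine_rules(sessions))
    observed = {e.action for e in parse_log(unseen_log)}
    return t_rules, plan(build_domain(sessions, t_rules), observed)


if __name__ == "__main__":
    rules, steps = demo("2018-07-01T08:00:00 hostX AuditPolicyEnabled\n")
    for (a, b), score in sorted(rules.items()):
        print(f"{a} precedes {b} (precedence {score:.2f})")
    print("plan-of-action:", " -> ".join(steps))
```

On the sample, plain association mining returns both `PasswordPolicySet -> AuditPolicyEnabled` and its reverse with high confidence, because co-occurrence is symmetric; the temporal metric is what discards the reverse direction and drops the `FirewallEnabled` rules whose ordering is inconsistent across sessions, which is the quality improvement the abstract attributes to it. The planner then emits only the tasks the unseen host has not already performed, in an order that respects the learnt precedence.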
| Original language | English |
|---|---|
| Pages (from-to) | 116-127 |
| Number of pages | 12 |
| Journal | Expert Systems with Applications |
| Volume | 113 |
| Early online date | 3 Jul 2018 |
| DOIs | |
| Publication status | Published - 15 Dec 2018 |
Title
Eliciting and utilising knowledge for security event log analysis: an association rule mining and automated planning approach
Profiles
- Simon Parkinson
  - Department of Computer Science - Professor
  - School of Computing and Engineering
  - Centre for Cybersecurity - Director
  - Centre for Planning, Autonomy and Representation of Knowledge - Associate Member
  - Person: Academic